Welcome to this week’s cybersecurity roundup. In recent cybersecurity news, high-profile organizations have fallen victim to significant data breaches. The New York Times had its internal source code and data leaked by an anonymous user on 4chan, while Christie's auction house faced a ransomware attack by the RansomHub gang, resulting in the theft and subsequent auction of sensitive client information.
We report on the details of the breaches at The New York Times and Christie's, the methods the attackers used, and the implications for security practice.
Here’s what went down.
British auction house Christie's is notifying individuals whose data was stolen by the RansomHub ransomware gang following a recent network breach.
Christie's discovered the security breach, which impacted some of its systems, on May 9, 2024. Upon learning of the incident, Christie's secured its network and enlisted external cybersecurity experts to investigate the breach's impact.
The auction house also notified law enforcement and is cooperating with their investigation.
During the breach analysis, Christie's determined that the threat actor accessed and extracted customer files between May 8 and May 9.
Following the investigation, Christie's reviewed the accessed files to identify individuals whose information may have been affected, obtained their contact details, and alerted them after completing the review on May 30.
In the data breach notification letters sent to affected individuals, Christie's stated, "We are not aware of any attempts to misuse your information as a result of this incident."
Christie's added, "We took additional steps to secure our systems and continue to evaluate technical and organizational measures to avoid the reoccurrence of a similar incident."
The auction house is offering impacted individuals a free twelve-month subscription to the CyEx Identity Defense Total identity theft and fraud monitoring service. This service will alert them to changes in their Experian, Equifax, and TransUnion credit files to detect any potentially fraudulent activity on their credit reports.
While Christie's did not disclose the attackers behind the May breach, the RansomHub gang claimed responsibility by adding the auction house to its dark web leak portal, asserting that they had breached its systems and stolen sensitive client data.
The cybercriminals claimed to have exfiltrated full names, addresses, ID document details, and other sensitive personal information of at least 500,000 Christie's clients.
RansomHub updated Christie's entry, indicating they had sold the stolen data on their own auction platform.
RansomHub, a relatively new operation, demands ransom payments from victims in exchange for not leaking stolen files. If negotiations fail, they often auction the stolen files to the highest bidder.
Recently, RansomHub claimed the breach of leading U.S. telecom provider Frontier Communications, which had to shut down its systems in April to contain a cyberattack. The company warned 750,000 customers this week that their information was exposed in a data breach.
Internal source code and data from The New York Times were leaked on the 4chan message board after being stolen from the company's GitHub repositories in January 2024.
The leak was first reported by VX-Underground, which observed an anonymous user posting a torrent link to a 273GB archive containing the stolen data on Thursday.
"Basically all source code belonging to The New York Times Company, 270GB," the 4chan post stated.
"There are around 5,000 repositories (with less than 30 additionally encrypted, I think), 3.6 million files total, uncompressed tar."
The threat actor has provided a text file listing the 6,223 folders stolen from the company's GitHub repository.
The folder names suggest a wide range of information was stolen, including IT documentation, infrastructure tools, and source code, allegedly including the viral game Wordle.
A 'readme' file in the archive indicates the threat actor exploited an exposed GitHub token to access the company's repositories and steal the data.
The Times confirmed the breach occurred in January 2024 after credentials for a cloud-based third-party code platform were exposed. A subsequent email identified this platform as GitHub.
"The underlying event related to yesterday’s posting occurred in January 2024 when a credential to a cloud-based third-party code platform was inadvertently made available. The issue was quickly identified and we took appropriate measures in response at the time. There is no indication of unauthorized access to Times-owned systems nor impact to our operations related to this event. Our security measures include continuous monitoring for anomalous activity."
The company emphasized that the breach of its GitHub account did not affect its internal corporate systems and had no impact on its operations.
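The root cause reported above is a leaked platform credential, the kind of thing a pre-commit or CI secret scan is meant to catch before it reaches a repository. The following is an added example, not code from the article or from any of the organizations it covers: it matches the token prefixes GitHub documented for its 2021 token formats (ghp_, gho_, ghu_, ghs_, ghr_) and the later fine-grained `github_pat_` format, and runs over a constructed config file whose token values are made up to fit only the length and charset of the real formats.

```python
import re

# Token prefixes GitHub introduced in 2021 (classic PAT, OAuth, user-to-server,
# server-to-server, refresh) and the fine-grained PAT format added later.
GITHUB_TOKEN_PATTERNS = {
    "classic_or_app_token": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"),
    "fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"),
}


def mask(token):
    """Keep enough of the token to triage the finding without re-leaking it."""
    return token[:8] + "*" * (len(token) - 12) + token[-4:]


def scan_for_github_tokens(text):
    """Return one finding per GitHub-shaped token: line number, token kind, masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in GITHUB_TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({"line": lineno, "kind": kind, "masked": mask(match.group(0))})
    return findings


# Constructed sample: a config file as it might be committed by mistake. The token
# values are invented and follow only the length/charset of the real formats.
SAMPLE_CONFIG = "\n".join([
    "# deploy settings",
    "GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij",
    "LOG_LEVEL=ghp_debug",  # shares the prefix but is not a token; must not match
    "CI_TOKEN=github_pat_" + "A" * 22 + "_" + "B" * 59,
])

if __name__ == "__main__":
    for finding in scan_for_github_tokens(SAMPLE_CONFIG):
        print(f"line {finding['line']}: {finding['kind']} {finding['masked']}")
```

Wired into a pre-commit hook or a CI step, a non-empty result from `scan_for_github_tokens` is the signal to block the commit and rotate the credential.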
This leak is the second one published on 4chan this week, following a 415MB leak of internal documents for Disney's Club Penguin game.